Systems and methods for dynamic zone protection of networks

ABSTRACT

Disclosed are systems and methods for securing a network using one or more controllers and one or more network nodes. A method may utilize a packet processing engine configured to process incoming network packets, a processing analysis engine configured to perform relatively more complex processing and analysis, and one or more controllers configured to coordinate one or more packet processing engines and one or more processing analysis engines across a network to perform endpoint threat detection and mitigation.

TECHNICAL FIELD

The present disclosure relates to systems and methods of securing a network and, more particularly, to systems and methods of dynamic zone protection of networks.

BACKGROUND

Some methods and systems of securing a network are mostly based on hardware. One of the fundamental problems with hardware-based security is that it lacks the ability to perform computationally complex and intensive processing for threat detection, for example, where multiple sources have to be correlated before deciding that a data flow contains a threat, in addition to performing threat mitigation based on such detections. Moreover, conventional methods and systems typically provide limited options to dynamically program and update. Due to the use of high data rates (e.g., 100 Gbps), it has become insufficient to utilize conventional methods and systems by simply applying more computing resources to threat detection/mitigation without considering how those computing resources may be used in an efficient and effective manner while keeping up with the high throughput demands of higher scale network traffic.

Therefore, there is a need for systems and methods for creating relatively more complex and computation intensive processing that may leverage available hardware capabilities by incorporating horizontal and vertical scaling approaches to the use of such hardware. That is, there is a need to achieve more efficient and effective threat detection and mitigation without relying on specific hardware performance.

SUMMARY OF THE DISCLOSURE

Embodiments of the present disclosure include systems and methods for dynamic zone protection.

According to certain embodiments, a computer-implemented method of securing a network using one or more controllers and one or more network nodes is disclosed. The computer-implemented method may include: receiving data packets at a packet processing engine of a first network node of the network; forwarding, by the packet processing engine, the received data packets to one or more processing analysis engines of the first network node; retrieving, by the packet processing engine, one or more attributes associated with one or more predetermined data packets of interest; identifying and comparing, by the packet processing engine, one or more attributes of the received data packets to the one or more attributes associated with the one or more predetermined data packets of interest; processing, by the packet processing engine, the received data packets, a session associated with the received data packets, and/or a data flow associated with the received data packets based at least in part on the comparison; analyzing, by at least one processing analysis engine, the forwarded data packets, a session associated with the forwarded data packets, and/or a data flow associated with the forwarded data packets in parallel with the identifying and comparing step performed by the packet processing engine; and transmitting, by the at least one processing analysis engine, the analysis of the forwarded data packets, associated session, and/or associated data flow to the one or more controllers and/or one or more additional network nodes of the network; wherein the one or more controllers are configured to control the first network node to (i) update the one or more predetermined data packets of interest based on the received analysis and (ii) transmit one or more attributes associated with the updated one or more predetermined data packets of interest to the one or more additional network nodes and/or one or more agent nodes.

In accordance with another embodiment, a system for securing a network is disclosed. The system may include: a first network node comprising a first packet processing engine and one or more processing analysis engines including a first processing analysis engine; and one or more controllers configured to control at least the first network node. The first packet processing engine may be configured to: receive and forward data packets to the first processing analysis engine, retrieve one or more attributes associated with one or more predetermined data packets of interest, identify and compare one or more attributes of the received data packets to the one or more attributes associated with the one or more predetermined data packets of interest, and process the received data packets, a session associated with the received data packets, and/or a data flow associated with the received data packets based at least in part on the comparison. The first processing analysis engine may be configured to: analyze the forwarded data packets, a session associated with the forwarded data packets, and/or a data flow associated with the forwarded data packets in parallel with the identifying and comparing step performed by the first packet processing engine, and transmit the analysis of the forwarded data packets, associated session, and/or associated data flow to one or more controllers and/or one or more additional network nodes of the network. The one or more controllers may be configured to control at least the first network node to: (i) update the one or more predetermined data packets of interest based on the received analysis and (ii) transmit one or more attributes associated with the updated one or more predetermined data packets of interest to the one or more additional network nodes.

In accordance with another embodiment, a system for securing a network is disclosed. The system may include: an agent node; a first network node comprising a first packet processing engine and one or more processing analysis engines including a first processing analysis engine; and one or more controllers. The agent node may be configured to transmit one or more messages regarding a network connected device to a first processing analysis engine of a first network node and/or one or more controllers, wherein the network connected device is connected to the first network node of the network. In some embodiments, the first packet processing engine may be configured to: receive and forward a plurality of data packets to the first processing analysis engine, retrieve one or more attributes associated with one or more predetermined data packets of interest, identify and compare one or more attributes of the received data packets to the one or more attributes associated with the one or more predetermined data packets of interest, and process the received data packets, a session associated with the received data packets, and/or a data flow associated with the received data packets based at least in part on the comparison. The first processing analysis engine may be configured to: analyze the forwarded data packets, a session associated with the forwarded data packets, and/or a data flow associated with the forwarded data packets at least based on the received one or more messages regarding the network connected device in parallel with the identifying and comparing step performed by the first packet processing engine, and transmit the analysis and/or the one or more messages regarding the network connected device to the one or more controllers. The one or more controllers may be configured to control at least the first network node to: (i) update the one or more predetermined data packets of interest based on the received analysis and the one or more messages regarding the network connected device and (ii) transmit one or more attributes associated with the updated one or more predetermined data packets of interest to the one or more network nodes.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate various exemplary embodiments and, together with the description, serve to explain the principles of the disclosed embodiments.

FIG. 1 depicts a schematic diagram illustrating an example of a computer network and environment within which the computer systems and methods disclosed herein are implemented according to some embodiments of the present disclosure.

FIG. 2 depicts a schematic diagram illustrating an example of a computer network and environment within which the computer systems and methods disclosed herein are implemented according to some embodiments of the present disclosure.

FIG. 3A depicts a security system lacking dynamic zone protection.

FIG. 3B depicts an exemplary security system implementing dynamic zone protection, according to embodiments of the present disclosure.

FIG. 4 depicts an exemplary network node according to embodiments of the present disclosure.

FIG. 5 depicts an exemplary controller, deep-path engine, and fast-path engine according to embodiments of the present disclosure.

FIG. 6 depicts an exemplary network node architecture according to embodiments of the present disclosure.

FIGS. 7A-7B depict network nodes comprising deep-path and fast-path engines in various modes according to embodiments of the present disclosure.

FIG. 8 depicts an exemplary application of dynamic zone protection according to embodiments of the present disclosure.

FIG. 9 depicts another exemplary application of dynamic zone protection according to some embodiments.

FIG. 10 depicts an exemplary method of securing a network using one or more controllers and one or more network nodes, according to exemplary embodiments of the present disclosure.

DETAILED DESCRIPTION OF EMBODIMENTS

Reference will now be made in detail to the exemplary embodiments of the disclosure, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts.

One of the challenges associated with providing threat protection across an organization is providing threat protection that scales across the organization (e.g., across multiple networks, multiple users, multiple sites, multiple zones, as will be described in further detail below) at data line rates once a threat is detected at a single point within the organization environment. The embodiments disclosed herein are directed to specialized software architecture and design that provide a combination of the high throughput detection and sophisticated processing required to handle deeper correlation/analysis of cyber threats across a large-scale organization environment. In the context of the current disclosure, an organization environment may include any networked environment associated with a business, enterprise, and/or organization.

In the context of the current disclosure, dynamic zone protection refers to a method and system for securing a network using one or more controllers, one or more network nodes, and/or one or more agent nodes in accordance with the embodiments disclosed herein. In some embodiments, dynamic zone protection may include the following components, as will be described in further detail below: a packet processing engine configured to process incoming network packets, a processing analysis engine configured to perform relatively more complex processing and analysis, endpoint threat detection and mitigation that may be performed utilizing the packet processing engine and the processing analysis engine, and one or more controllers configured to coordinate one or more packet processing engines and one or more processing analysis engines across a network. That is, the aforementioned components may be utilized to provide security for various network-connected devices within a network as part of a dynamic zone protection scheme. For example, the overall tasks associated with threat detection and mitigation may be distributed amongst and across the components, as will be described in further detail below; however, it should be appreciated that any of the components may be combined with each other into combined devices, or separated into separate devices, whether physical, remote, virtual, or otherwise, as desired. In the context of the current disclosure, a network connected device may therefore refer to any physical device connected to a network, whether local or remote, as well as any virtual devices and/or virtual services (e.g., micro-services) running on such devices included in the network or remote from the network. For example, a network connected device may include any computing device, e.g., a server, a mobile device, a desktop computer, a payment terminal with a computer chip, etc., or any other device or service in communication with the network.

Accordingly, the embodiments disclosed herein may provide a threat detection and mitigation capability that provides dynamically driven protection across a network and system, for example, of an enterprise. In some embodiments, the network and system may be located on site and/or in the cloud, or any combination of local and cloud locations of the network.

Some advantages provided by the embodiments disclosed herein may include: (1) the ability to perform higher speed threat detection and mitigation across multiple network locations simultaneously; (2) coordinated action across network and endpoint providing unified protection of the network without requiring human action or significant systems delay; and (3) the ability to scale such unified protection in an environment where networks and endpoints have different speeds and compute capability, thereby allowing protection to dynamically apply to both lower and higher speed environments with the same detection and mitigation logic.

Turning now to the figures, FIG. 1 shows a block diagram of a computer network and environment (hereinafter referred to as system 100) for implementing embodiments of the present disclosure, or aspects thereof. System 100 may include one or more network nodes 102A-102D, one or more endpoints 104A-104D, one or more agent nodes 106A-106B, and one or more controllers 108. As shown in FIG. 1, one or more switches, firewall modules, routers, and/or router-switch processors may interconnect the aforementioned network nodes 102A-102D, endpoints 104A-104D, agent nodes 106A-106B, and/or controllers 108. The network nodes 102A-102D, endpoints 104A-104D, agent nodes 106A-106B, and/or controllers 108 may be connected to the internet 110 through the one or more switches, firewall modules, routers, and/or router-switch processors. It is understood that the system 100 may include fewer or more than the number of network nodes, endpoints, agent nodes, and/or controllers depicted in FIG. 1 in other embodiments.

The one or more network nodes 102A-102D may form a distributed control plane. The controller 108 may be configured to manage the distributed control plane. In some embodiments, the controller 108 may manage the distributed control plane by alerting, automating, and/or implementing workflow integrations for the network nodes 102A-102D. Accordingly, the controller 108 may be referred to as a policy decision point for the system 100. For example, policies such as automation and/or workflow integrations for the one or more network nodes 102A-102D may be determined by the controller 108. In some embodiments, any combination of the one or more network nodes 102A-102D may comprise the controller 108.

The one or more network nodes 102A-102D may be configured to provide visibility to a network associated with each respective network node 102A-102D and enforce predetermined policies, e.g., automation and/or workflow integrations. For example, network nodes 102A-102D may provide connection reports, e.g., to the controller 108, to provide such visibility. In some embodiments, the controller 108 may update policies for the one or more network nodes 102A-102D based on such reports. Network nodes 102A-102D may be deployed in a transparent or a non-transparent mode, as shown below and described with reference to FIGS. 7A-7B.

In some embodiments, a network node 102A may provide access to a perimeter network including DMZ services, such as web servers, mail servers, FTP servers, VoIP servers, and the like. In such embodiments, network node 102A may provide visibility to the perimeter network and enforce predetermined policies for the perimeter network. In some embodiments, a network node 102B, 102D may provide access to an internal Local Area Network (LAN), such as a database workgroup, user workgroup, port, VLAN, application, network services, and the like. In such embodiments, network node 102B, 102D may provide visibility to the internal LAN and enforce predetermined policies for the internal LAN. For example, network node 102B, 102D may transmit information including processes, users, and/or files associated with each respective network. In some embodiments, a network node 102C may be associated with (e.g., provide access to) cloud networks such as an object storage service (e.g., S3 bucket). In such embodiments, network node 102C may provide visibility to the cloud network and enforce predetermined policies for the cloud network.

In some embodiments, a network node 102D may communicate with one or more agent nodes 106A-106B associated with one or more endpoints 104C-104D. The one or more endpoints 104C-104D may include one or more network connected devices according to some embodiments. The network node 102D may obtain information regarding the one or more endpoints 104C-104D via the one or more agent nodes 106A-106B, as will be described in further detail below.

Agent nodes 106A-106B may provide visibility regarding each associated endpoint 104C-104D and may also enforce predetermined policies for the endpoints 104C-104D. In some embodiments, an agent node 106A-106B may comprise a browser plugin, a process memory-dumper, a plugin framework, etc. For example, a browser plugin may be configured to detect malicious URLs inside encrypted connections. As another example, a process memory-dumper may be configured to inspect and capture in-memory and running processes. The process memory-dumper may be further configured to automate connection to a controller 108 for disassembly and forensic analysis. As yet another example, a plugin framework may provide extensions for additional host-based detection, deception and mitigation capabilities via SQL query (e.g., OSQuery).

Agent nodes 106A-106B may be configured to query any software, e.g., installed on an endpoint 104C-104D, without requiring the software to be running. In some embodiments, agent nodes 106A-106B may detect vulnerable software across an organization, e.g., system 100, thereby providing useful information for asset inventory and compliance. For example, the agent nodes 106A-106B may query for and determine vulnerable versions of a web browser. In some embodiments, agent nodes 106A-106B may be configured to query any active processes and related connections. For example, the agent nodes 106A-106B may query for a specific open port. As another example, the agent nodes 106A-106B may query for any open remote ports. The agent nodes 106A-106B may be configured to query active users and associated processes and connections. For example, the agent nodes 106A-106B may query a user-executed specific process and retrieve the process path. As another example, the agent nodes 106A-106B may query file-less processes with remote connections. In some embodiments, the agent nodes 106A-106B may perform queries on any connected devices.
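The file-less-process query mentioned above, written out as an added example (this is not code from the patent or from any product it describes): an agent node answering it would join its process inventory against the host's connection table and keep only established connections from processes with no on-disk image to addresses outside the internal ranges. The two tables, the internal address ranges, and the function names are constructed assumptions.

```python
import ipaddress

# Constructed process inventory: pid -> (name, executable path). None means
# the image exists only in memory; a path marked "(deleted)" is also file-less.
PROCESSES = {
    101: ("sshd", "/usr/sbin/sshd"),
    202: ("updater", None),
    303: ("nginx", "/usr/sbin/nginx"),
    404: ("worker", "/tmp/.x/worker (deleted)"),
}

# Constructed connection table: (pid, remote address, remote port, state)
CONNECTIONS = [
    (101, "10.0.1.50", 51234, "ESTABLISHED"),
    (202, "203.0.113.9", 443, "ESTABLISHED"),
    (303, "10.0.3.4", 45000, "ESTABLISHED"),
    (404, "198.51.100.7", 8080, "ESTABLISHED"),
    (404, "10.0.0.2", 22, "ESTABLISHED"),
    (202, "10.0.0.9", 53, "TIME_WAIT"),
]

# Address space treated as internal (assumption: RFC 1918 plus loopback and
# link-local). Checked explicitly rather than via ip_address().is_private,
# which would also classify the documentation ranges used above as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_fileless(path):
    """A process whose executable is absent from disk or already unlinked."""
    return path is None or path.endswith("(deleted)")


def is_remote(ip):
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def fileless_with_remote_connections(processes=PROCESSES, connections=CONNECTIONS):
    """Join both tables and keep established connections from file-less
    processes to remote addresses; returns pid -> finding."""
    findings = {}
    for pid, ip, port, state in connections:
        if pid not in processes or state != "ESTABLISHED":
            continue
        name, path = processes[pid]
        if not (is_fileless(path) and is_remote(ip)):
            continue
        entry = findings.setdefault(pid, {"name": name, "path": path, "remotes": []})
        entry["remotes"].append((ip, port))
    return findings


def processes_on_remote_port(port, connections=CONNECTIONS):
    """Pids holding an established connection to the given remote port
    (the 'query for a specific open port' case)."""
    return sorted({pid for pid, _, p, state in connections
                   if p == port and state == "ESTABLISHED"})


if __name__ == "__main__":
    for pid, finding in fileless_with_remote_connections().items():
        print(pid, finding)
```

On the constructed tables, pids 202 and 404 are reported: each has an established connection to a remote address while its executable is missing or deleted, whereas 404's internal SSH session and 202's closed DNS connection are ignored.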

FIG. 2 shows a block diagram of a computer network and environment (hereinafter referred to as system 200) for implementing embodiments of the present disclosure, or aspects thereof. As shown in FIG. 2, the system 200 may comprise a management plane 210 including a controller 208, a first zone proxy 212A, a second zone proxy 212B, a security information and event management system (SIEM) 214, a security operations workflow management system 215, an intelligence scoring system 216, and an openflow controller 218. SIEM 214 may be configured to aggregate and/or view security logs and alerts. Security operations workflow management system 215 may be configured to coordinate threat mitigation based on certain triggers, e.g., such as certain detected threats, and invoke changes in the system 200 to mitigate the threat and/or reflect the coordinated threat mitigation. Intelligence scoring system 216 may be configured to aggregate information associated with identified and/or potential threats, e.g., information provided by external systems and/or information based on threats detected and mitigated by the system 200, and determine scores for threats relevant to system 200. In some embodiments, an openflow controller 218 may be configured to use the OpenFlow protocol to connect and configure network devices, e.g., one or more switches, firewall modules, routers, and/or router-switch processors as depicted in FIG. 1, to determine optimal paths for network traffic. It is understood that the openflow controller 218 may be any appropriate software-defined network (SDN) controller in some embodiments. System 200 may further comprise one or more data plane zones 220A-220B. As shown in FIG. 2, each data plane zone 220A-220B may include a network node 202A-202B, an endpoint 204A-204B, an agent node 206A-206B, and an agent controller 214A-214B. An agent controller 214A-214B may be configured to communicate with a zone proxy 212A-212B and manage one or more associated agent nodes 206A-206B, as will be described in further detail below.

The controller 108 may manage each data plane zone 220A-220B via a dedicated proxy 212A-212B as shown in FIG. 2. It is understood that there may be fewer or more than two data plane zones in other embodiments. Cross domain communications, e.g., communications between the management plane 210 and the data plane zones 220A-220B, may be performed via the proxy 212A-212B and each dedicated data plane zone 220A-220B, e.g., network node 202A-202B and/or agent controller 214A-214B. Accordingly, zone-specific actions may be defined by the management plane 210 and dynamically managed throughout the system 200, as will be described in further detail below.

In some embodiments, management plane 210 communications may include policy, intelligence, distribution, and/or monitoring and/or statistics. For example, the controller 208 may transmit information including logging, events, and/or alerts to the SIEM 214. As another example, the controller 208 may perform workflow orchestration based on the security operations workflow system 215. As another example, the controller 208 may obtain threat scores from the intelligence scoring system 216. As yet another example, the controller 208 may communicate with the openflow controller 218 to determine optimal paths for network traffic. In some embodiments, management plane 210 communications may be encrypted.

In some embodiments, data plane communications may include communication between the agent controller 214A-214B and the agent node 206A-206B. An agent controller 214A may be configured to manage one or more agent nodes 206A within data plane zone 220A. The agent controller 214A may be configured to provide configuration management to agent node 206A and transmit image distribution and log aggregation information from the agent node 206 to the management plane 210 via zone proxy 212A. It is understood that data plane zone 220A may include two or more agent nodes each associated with a separate endpoint in other embodiments. In such embodiments, the agent controller 214A may be configured to manage the two or more agent nodes in data plane zone 220A.

FIG. 3A depicts a conventional single point security system 300A. The single point security system 300A may detect an infection 305 in the network via network node 302C. As shown in FIG. 3A, this may leave other points, e.g., endpoints 304A-304B, within the network vulnerable to the infection 305 while the single point security system 300A detects and attempts to mitigate the infection at network node 302C. Accordingly, in such single point security systems 300A, an administrator must apply both detection and mitigation across an entire network that requires coverage, e.g., network nodes 302A-302C. For example, the administrator must manually detect and stop horizontal and/or lateral movement of the infection. As another example, the administrator must manually detect and stop multiple systems from being leveraged for command and control (C2) or exfiltration malware.

FIG. 3B depicts an exemplary security system 300B, according to some embodiments. The security system 300B provides dynamic zone protection, as disclosed herein, which enables detection at any single point, e.g., network nodes 312A-312C, within a network. As shown in FIG. 3B, security system 300B may provide zone detection via network nodes 312A-312C to simultaneously detect the infection 305. In some embodiments, the zone detection may be applied across the security system 300B based on a predetermined policy. In some embodiments, the predetermined policy may include zone-specific actions, thereby protecting each of the endpoints 314A-314C included in the network.

FIG. 4 depicts a network node 400, according to some embodiments. The network node 400 may include a packet processing engine 410 and a processing analysis engine 420, according to some embodiments. While only one processing analysis engine 420 is depicted in FIG. 4, it is understood that the network node 400 may include two or more processing analysis engines in other embodiments.

In some embodiments, the packet processing engine 410 may be deployed inline to a network. The packet processing engine 410 may receive ingress data packets, e.g., IPv4 and/or IPv6 data packets. In some embodiments, the packet processing engine 410 may include a traffic merge component 412 in which the received data packets may be temporarily stored. The packet processing engine 410 may forward each received data packet to the processing analysis engine 420. The packet processing engine 410 may include a traffic replica component 414 configured to generate a replica of each temporarily stored data packet. In some embodiments, the traffic replica component 414 may be configured to generate a pointer for each temporarily stored data packet. In such embodiments, the traffic replica component 414 may share the generated pointers with the processing analysis engine 420, thereby enabling the processing analysis engine 420 to use the generated pointers to access the stored data packets. In some embodiments, the traffic replica component 414 may generate a copy of each temporarily stored data packet. In such embodiments, the traffic replica component 414 may transmit the generated copies to the processing analysis engine 420.

The packet processing engine 410 may further include a traffic basic filter component 415 configured to check if one or more attributes associated with the temporarily stored data packets match predetermined attributes. For example, the predetermined attributes may include a source, destination IP, port, protocol, etc. In some embodiments, the predetermined attributes may be associated with data packets, sessions, and/or data flows that may be malicious, e.g., C2 and/or exfiltration malware. If attributes associated with one or more data packets do not match the predetermined attributes, the one or more data packets may be forwarded to the intended destination via a switching component 418.

If attributes associated with the temporarily stored one or more data packets match the predetermined attributes, a Packet Processing Unit (PPU) engine component 416 may be configured to perform a dynamic action on the one or more data packets, a session associated with the one or more data packets, and/or a data flow associated with the one or more data packets. In some embodiments, the PPU engine component 416 may comprise a micro-program that includes an activation rule and micro-compiled code that is executed if the activation rule matches. In some embodiments, the micro-compiled code may be executed to respond to, copy, drop, route, and/or modify the one or more data packets. In some embodiments, the PPU engine component 416 may further include state and memory useful for subsequent re-execution of the micro-program. The micro-program may further include executing a program, one or more data packets, a session, and/or a data flow based on the one or more data packets. The micro-program may comprise both states and instructions. In some embodiments, the one or more data packets may be transparently routed to a deception server. In the context of the current disclosure, a deception server may refer to a server that acts like a legitimate server for the purpose of gathering information about a malicious actor and/or entity (also referred to collectively as an "adversary"), including what the adversary is trying to exploit and where the adversary is trying to gather information from. For example, the deception server may be utilized to detect SQL injection attempts. In some embodiments, the one or more data packets may reflect un-allowed traffic to bad domains. In such embodiments, the one or more data packets may be detected and redirected without detection by an adversary. In some embodiments, the one or more data packets may reflect encrypted malware. In such embodiments, the threat may be mitigated by dropping the one or more data packets.

The packet processing engine 410 may communicate such performed dynamic actions to the controller 408 and/or one or more network nodes 430A-430C. In such embodiments, the controller 408 and/or the one or more network nodes 430A-430C may dynamically detect and mitigate similar data packets based on the communication.

The processing analysis engine 420 may include a traffic replica receiver 422 configured to receive replicas of the temporarily stored data packets for a deep analysis of the data packets, as will be described in further detail below. The data packet replicas may be utilized by the detection module 424, which may include an event detection module 428 and one or more event handler modules 426A-426C. The event detection module 428 may be configured for a deep analysis of sessions, file extractions, intelligence correlation, and many other similar higher-level data signal analyses performed across multiple packet contexts including network and endpoint information. For example, the event detection module 428 may be configured to detect predetermined protocols and/or malware. In the context of the current disclosure, intelligence correlation may refer to identifying attributes associated with detected IPs, domains, C2s, and behaviors and utilizing such identified attributes to detect similar associated threats in other environments. Each detected protocol and/or malware may be referred to as an event, and the event handler modules 426A-426C may be configured to perform an analysis of an event. In some embodiments, an event handler module 426A may obtain information from an agent node 406 regarding an associated endpoint. The agent node 406 may provide visibility to a process, user information associated with executing the process, network and/or file state on the endpoint, and/or ownership of files such that the information gained by that visibility may be used by the event handler module 426A for detection and coordination with the packet processing engine 410. For example, the event handler module 426A may query for information, run scans for malware on demand, and/or collect process images. Each of the event handler modules 426A-426C may be configured to detect predetermined protocols and/or obtain PPUs based on mitigation and detection macro-logic. For example, the event handler modules 426A-426C may obtain and/or generate micro-programs that include an activation rule and micro-compiled code that may be executed if the activation rule matches. The event handler modules 426A-426C may deploy such micro-programs to the packet processing engine 410 (e.g., traffic basic filter component 415, PPU engine component 416, and/or switching component 418).

In some embodiments, the controller 408 may receive messages from the packet processing engine 410, the agent node 406, and the processing analysis engine 420 such that those messages may be processed, organized, and redistributed to other connected components, such as other network nodes 430A-430C, based on predetermined policies. For example, the controller 408 may perform a security analysis of the network including the network node 400, log the analysis, and/or perform a protocol or malware analysis based on the received messages. In some embodiments, the received messages may include endpoint process data obtained from the agent node 406, network metadata, associated PPUs, etc.

FIG. 5 depicts a scaling process according to some embodiments. In some embodiments, the packet processing engine 510 may be low latency and include a packet engine 512 configured to receive incoming un-analyzed traffic, e.g., incoming data packets, and share a replica of the incoming traffic with the processing analysis engine 520. In some embodiments, the packet engine 512 may include the traffic merge component 412, the traffic replica component 414, and the traffic basic filter components 415, as described above with reference to FIG. 4. The packet processing engine 510 may determine whether one or more attributes associated with the incoming traffic match predetermined attributes. One or more deployed PPU engines 416 may be applied to incoming traffic as a result of determining that there is a match.

As shown in FIG. 5, the processing analysis engine 520 may be configured to perform a deep analysis of the incoming traffic based on the received replicated traffic. While only one processing analysis engine 520 is depicted in FIG. 5, it is understood that there may be more than two processing analysis engines in other embodiments. Additionally, the plurality of processing analysis engines may be located in one or more network nodes. That is, the deep analysis may be conducted on a distributed control plane. Referring back to processing analysis engine 520, the replicated traffic may include a replica of the one or more incoming data packets, a session associated with the incoming data packets, and/or a data flow associated with the incoming data packets. The processing analysis engine 520 may include scripts running one or more instances and making decisions with respect to each of the obtained replicas as processes 1, 2, . . . , N. The processes 1-N, i.e., the decision-making processes, may be based on one or more rules received from the controller 508. In some embodiments, the controller 508 may include a data store including a control rule table 504. The control rule table 504 may include various rules and/or actions to be applied in certain situations, for example, based on the detection of certain attributes associated with data packets and/or behaviors associated with malicious activities represented in the data packets. An extended control module 502 may relay such rules and/or actions to the processing analysis engine 520 to take into consideration for the decision-making processes. In some embodiments, one or more actions may be determined for the processes 1-N, which may be relayed to a dispatcher 522. The dispatcher 522 may determine and/or obtain one or more PPU engines (i.e., micro-programs) for the determined actions. The one or more PPU engines may be deployed to the packet processing engine 510 via a receptor 514 such that the packet processing engine 510 may apply the deployed one or more PPU engines to currently incoming or future data packets, sessions, and/or data flows.

FIG. 6 depicts an exemplary embodiment of a network node architecture 600 according to some embodiments. The modules, interfaces, and/or engines depicted in FIG. 6 may be implemented utilizing C, C++, hardware components, firmware, and/or compiled scripting languages, and any appropriate coding language. Accordingly, the network node architecture 600 as depicted in FIG. 6 may support both virtual and physical deployments. Network node 600 may include a low-latency network-optimized operating system 640 and hardware 646 for processing analysis 620 components and packet processing 610 components, as shown in FIG. 6. It is understood that the number of each component for processing analysis 620 and packet processing 610 shown in FIG. 6 may vary and the components may be rearranged in varying combinations in some embodiments.

Processing analysis 620 components may include network security applications 601, controller interconnect 622, endpoint agents interconnect 624, multi-switch cluster interconnect 626, hypervisor 629, one or more virtual machines 628A-628B, and security engine 630, according to some embodiments. Network security applications 601 may include one or more applications that may run on the network node 600 to analyze, detect, and/or mitigate threats, as described herein. Controller interconnect 622 may be configured to provide a connection between the network node 600 controller, e.g., security engine 630, and the rest of the system such as systems 100 and 200 described above with reference to FIGS. 1 and 2. Endpoint agents interconnect 624 may be an agent controller as described above with reference to FIG. 2. As shown in FIG. 6, the endpoint agents interconnect 624 may be embedded on the network node 600 in some embodiments. In other embodiments, the endpoint agents interconnect 624 may be provided as a component separate from the network node 600, for example, as shown in FIG. 2. Multi-switch cluster interconnect 626 may be configured to logically interconnect multiple network nodes such that the network nodes may communicate and exchange data. For example, the exchanged data may be directed to information about detected malicious hosts or network sessions or about specific traffic routes such as updated network routing tables on each network node in order to deliver traffic correctly. Hypervisor 629 (also referred to as a virtual machine monitor) may be computer software, firmware, and/or hardware that creates and runs virtual machines 628A-628B. Security engine 630 may be referred to as a core service for security supporting the network security applications 601. For example, security engine 630 may include an endpoint query engine 632 configured to collect information from various endpoints, for example, using the endpoint agents interconnect 624. In some embodiments, the endpoint query engine 632 may be an interface configured to allow security applications to query various endpoints via agent nodes, as described herein. Security engine 630 may include a network sessions collector 634 configured to collect network sessions directed to and from the network node 600. Security engine 630 may include a file extractor 636 configured to extract files shared over the network. Security engine 630 may also include a geoIP and geolocation 638 interface configured to determine a geographic location of an IP address.

Packet processing 610 components may include a filter engine 619 and PPU engine 618 as described above with reference to FIGS. 4-5. Packet processing 610 components may include a software defined traffic switch 612, network switch logic 616, network kernel bypass 642, and other low-level network modules 614, e.g., network traffic switching modules or network traffic routing modules. Network traffic switching modules may be configured to switch packets across multiple physical ports based on MAC address or IP. Network traffic routing modules may be configured to send packets to specific hosts based on IP. Software defined traffic switch 612 may be configured to provide software controlled network switching to allow directing traffic within a network node, e.g., the network node 600, between the various components and/or supporting multiple ports for a single network node, e.g., network node 600. Network switch logic 616 may be logic applied for routing of internal forwarding, e.g., data packet forwarding. Network kernel bypass 642 may allow routing of packets without delay and interference from the kernel.

FIGS. 7A-7B depict network nodes in various modes according to some embodiments. FIG. 7A depicts a network node in a transparent mode (also referred to as an address mode). In the context of the current disclosure, address mode may refer to a network node 702A in which the IP network is visible and which provides distinct network interfaces. In the address mode, a data-plane MAC or IP address may be utilized.

FIG. 7B depicts a network node 702B deployed in a transparent mode (also referred to as a link-only mode). In the context of the current disclosure, link-only mode may refer to a network node 702B in which a MAC or IP network is not discoverable while providing detection and mitigation. In the link-only mode, a data-plane MAC or IP address is not required, and the network node 702B may provide a reduced attack surface for malicious activities.

FIG. 8 depicts an exemplary application of dynamic zone protection according to some embodiments disclosed herein. In step 81, an endpoint 804 may request access to a domain, e.g., Domain A. In response to the request, network node 804A may extract information from the access request and investigate Domain A by communicating with components included in management plane 810. For example, the network node 804A may transmit an alert to an operations workflow management system 818 via the controller 808 (step 82A) about the event (e.g., the access request to Domain A) and request information from a cloud intelligence system 816 (step 82B) regarding the domain. In step 83, the cloud intelligence system 816 may respond with a determined score assigned to Domain A and indicate that the domain is a known C2. The network node 804A may apply mitigation actions to block C2 from Domain A. Once the mitigation actions have been applied, the network node 804A may transmit a report to the controller 808 (step 84) reporting the applied mitigation actions and the relevant Domain A information, e.g., the determined score and the indication that the domain is a known C2. The controller 808, in turn, may then replicate the report and notify the other network nodes 804B-804D in step 85. Accordingly, future C2 attempts associated with Domain A may be mitigated at all of the network nodes 804A-804D (i.e., the distributed control plane) without having to query the management plane 810.

FIG. 9 depicts an exemplary application of dynamic zone protection according to some embodiments disclosed herein. In step 91, an intelligence management system 912 may transmit periodic reports to a controller 908, which may include information regarding a variety of malicious activities. In some embodiments, the information may be stored in a zone intelligence framework database 909. In step 92, an endpoint 904 may request access to a domain, e.g., Domain A. In response to the request, network node 904A may extract information from the access request and investigate Domain A by communicating with components included in management plane 910. For example, the network node 904A may request information from the controller 908 (step 93) regarding the domain. In step 94, the zone intelligence framework database 909 may respond with an indication that Domain A is a known C2. In step 95, an operations workflow management system 918 may be alerted about the event (e.g., the access request to Domain A). The network node 904A may apply mitigation actions to block C2 from Domain A. Once the mitigation actions have been applied, the network node 904A may transmit a report to the controller 908 (step 96) reporting the applied mitigation actions and the relevant Domain A information, e.g., the indication that the domain is a known C2. The controller 908, in turn, may then replicate the report and notify the other network nodes 904B-904D in step 97. Accordingly, future C2 attempts associated with Domain A may be mitigated at all of the network nodes 904A-904D (i.e., the distributed control plane) without having to query the management plane 910.

FIG. 10 depicts an exemplary method 1000 of securing a network using one or more controllers and one or more network nodes according to some embodiments. The method 1000 may begin with step 1002 in which a packet processing engine of a first network node of the network may receive data packets. In step 1004, the packet processing engine may forward the received data packets to one or more processing analysis engines of the first network node. In step 1006, the packet processing engine may retrieve one or more attributes associated with one or more predetermined data packets of interest. In step 1008, the packet processing engine may identify and compare one or more attributes of the received data packets to the one or more attributes associated with the one or more predetermined data packets of interest. In step 1010, the packet processing engine may process the received data packets, a session associated with the received data packets, and/or a data flow associated with the received data packets based at least in part on the comparison. In some embodiments, processing the received data packets, the associated session, and/or the associated data flow may include the packet processing engine responding to, copying, dropping, routing, and/or modifying the received data packets, the associated session, and/or the associated data flow based on the comparison. In some embodiments, processing the received data packets, the associated session, and/or the associated data flow may include the packet processing engine executing a program based on the comparison. In some embodiments, processing the received data packets, the associated session, and/or the associated data flow may include the packet processing engine creating a data packet, a session, and/or a data flow based on the comparison.

In step 1012, the at least one processing analysis engine may analyze the forwarded data packets, a session associated with the forwarded data packets, and/or a data flow associated with the forwarded data packets in parallel with the identifying and comparing step performed by the packet processing engine in step 1008. In step 1014, the at least one processing analysis engine may transmit the analysis of the forwarded data packets, the associated session, and/or the associated data flow to the one or more controllers and/or one or more additional network nodes of the network. In some embodiments, the one or more controllers may be configured to control the first network node to (i) update the one or more predetermined data packets of interest based on the received analysis and (ii) transmit one or more attributes associated with the updated one or more predetermined data packets of interest to the one or more additional network nodes and/or one or more agent nodes.
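The following is an added example, not code from the disclosure: a constructed in-memory model of the PPU micro-programs (activation rule plus code to run on a match, FIG. 4), the dispatcher and receptor deployment of FIG. 5, the report-and-replicate flow of FIG. 8, and the fast-path/slow-path split of method 1000. All class and function names, the intelligence table and the packets are assumptions constructed for the example; the deep analysis is modeled as completing after the fast-path verdict, as a parallel engine would.

```python
# Added example (constructed, not the disclosure's own code); all names are assumed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_domain: str

@dataclass
class MicroProgram:
    """A PPU: an activation rule plus code that runs only when the rule matches."""
    name: str
    activation: Callable[[Packet], bool]
    action: Callable[[Packet], str]  # returns a verdict such as "drop"

def make_block_ppu(domain: str) -> MicroProgram:
    """Mitigation PPU that drops traffic to a domain reported as a known C2."""
    return MicroProgram(f"block-c2:{domain}",
                        lambda p: p.dst_domain == domain, lambda p: "drop")

class PacketProcessingEngine:
    """Fast path: only compares packet attributes against the deployed PPUs."""
    def __init__(self) -> None:
        self.ppus: Dict[str, MicroProgram] = {}

    def deploy(self, ppu: MicroProgram) -> None:
        self.ppus.setdefault(ppu.name, ppu)  # receptor 514: keep the first copy

    def process(self, pkt: Packet) -> str:
        for ppu in self.ppus.values():
            if ppu.activation(pkt):
                return ppu.action(pkt)
        return "forward"

class Controller:
    """Holds the control rule table and replicates each report to every node."""
    def __init__(self) -> None:
        self.control_rule_table: Dict[str, MicroProgram] = {}
        self.nodes: List["NetworkNode"] = []
        self.reports: List[dict] = []

    def handle_report(self, report: dict) -> None:
        self.reports.append(report)
        ppu = make_block_ppu(report["domain"])
        self.control_rule_table[ppu.name] = ppu
        for node in self.nodes:  # step 85: notify the other network nodes
            node.packet_engine.deploy(ppu)

class ProcessingAnalysisEngine:
    """Slow path: deep analysis of the replica, PPU dispatch, report to controller."""
    def __init__(self, node: "NetworkNode", controller: Controller,
                 intel: Dict[str, Tuple[int, bool]]) -> None:
        self.node, self.controller, self.intel = node, controller, intel
        self.management_plane_queries = 0

    def analyze(self, pkt: Packet) -> None:
        if f"block-c2:{pkt.dst_domain}" in self.node.packet_engine.ppus:
            return  # already mitigated locally: no management-plane query needed
        self.management_plane_queries += 1  # steps 82B/83: ask cloud intelligence
        score, is_c2 = self.intel.get(pkt.dst_domain, (0, False))
        if is_c2:
            self.node.packet_engine.deploy(make_block_ppu(pkt.dst_domain))
            self.controller.handle_report({"node": self.node.name,  # step 84
                                           "domain": pkt.dst_domain, "score": score})

class NetworkNode:
    def __init__(self, name: str, controller: Controller, intel: dict) -> None:
        self.name = name
        self.packet_engine = PacketProcessingEngine()
        self.analysis_engine = ProcessingAnalysisEngine(self, controller, intel)
        controller.nodes.append(self)

    def handle(self, pkt: Packet) -> str:
        verdict = self.packet_engine.process(pkt)  # fast-path verdict first ...
        self.analysis_engine.analyze(pkt)  # ... deep analysis of the replica later
        return verdict

def run_scenario() -> Tuple[str, str, str, int, int]:
    """Walk the FIG. 8 flow across four nodes with a constructed intelligence table."""
    intel = {"c2.example": (95, True), "benign.example": (5, False)}
    ctl = Controller()
    nodes = {n: NetworkNode(n, ctl, intel) for n in ("804A", "804B", "804C", "804D")}
    first = nodes["804A"].handle(Packet("10.0.0.5", "c2.example"))   # step 81
    second = nodes["804B"].handle(Packet("10.0.0.9", "c2.example"))  # blocked locally
    benign = nodes["804C"].handle(Packet("10.0.0.7", "benign.example"))
    queries = sum(n.analysis_engine.management_plane_queries for n in nodes.values())
    return first, second, benign, queries, len(ctl.reports)
```

The scenario shows the point of the distributed control plane: the second node drops the C2 request from its own fast path, so only two management-plane queries are made for three requests and a single report is replicated to all four nodes.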

In some embodiments, the one or more processing analysis engines may include a first processing analysis engine of the first network node of the network and a second processing analysis engine of a second network node of the network.

In some embodiments, the one or more processing analysis engines may receive one or more messages transmitted by an agent node connected to the first network node of the network. In some embodiments, the one or more messages may describe information captured on a network connected device, one or more networks associated with the network connected device, a file state associated with the network connected device, and/or user information associated with the network connected device. In some embodiments, the one or more processing analysis engines may transmit the analysis and the one or more messages to one or more controllers. In such embodiments, the one or more controllers may be configured to: (i) update the one or more predetermined data packets of interest based on the received analysis and the one or more messages, and (ii) transmit the one or more attributes associated with the updated one or more predetermined data packets of interest to the one or more additional network nodes.

In some embodiments, the one or more attributes associated with the one or more predetermined data packets of interest may be stored in a data store of the network node and/or the one or more controllers. The network node and/or the one or more controllers may be configured to update the stored one or more attributes associated with the one or more predetermined data packets of interest based on the one or more attributes associated with the updated one or more predetermined data packets of interest.

Program aspects of the technology may be thought of as “products” or “articles of manufacture” typically in the form of executable code and/or associated data that is carried on or embodied in a type of machine readable medium. “Storage” type media include any or all of the tangible memory of the computers, processors or the like, or associated modules thereof, such as various semiconductor memories, tape drives, disk drives and the like, which may provide non-transitory storage at any time for the software programming. All or portions of the software may at times be communicated through the Internet or various other telecommunication networks. Such communications, for example, may enable loading of the software from one computer or processor into another, for example, from a management server or host computer of the mobile communication network into the computer platform of a server and/or from a server to the mobile device. Thus, another type of media that may bear the software elements includes optical, electrical and electromagnetic waves, such as used across physical interfaces between local devices, through wired and optical landline networks and over various air-links. The physical elements that carry such waves, such as wired or wireless links, optical links, or the like, also may be considered as media bearing the software. As used herein, unless restricted to non-transitory, tangible “storage” media, terms such as computer or machine “readable medium” refer to any medium that participates in providing instructions to a processor for execution.

The many features and advantages of the disclosure are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the disclosure which fall within the true spirit and scope of the disclosure. Further, since numerous modifications and variations will readily occur to those skilled in the art, it is not desired to limit the disclosure to the exact construction and operation illustrated and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope of the disclosure.

1-20. (canceled)
21. A method comprising: forwarding, by a packet processing engine, a received data packet to a processing analysis engine; performing a comparison, by the packet processing engine, of an attribute of the received data packet to an attribute associated with a predetermined data packet of interest; processing, by the packet processing engine, the received data packet, a session associated with the received data packet, and/or a data flow associated with the received data packet based at least in part on the comparison; and analyzing, by a processing analysis engine, the forwarded data packet, a session associated with the forwarded data packet, and/or a data flow associated with the forwarded data packet in parallel with the comparison by the packet processing engine.
22. The method of claim 21, wherein the processing analysis engine includes a first processing analysis engine and a second processing analysis engine.
23. The method of claim 21, wherein the processing the received data packet, the session associated with the received data packet, and/or the data flow associated with the received data packet based at least in part on the comparison comprises: responding to, copying, dropping, routing, and/or modifying, by the packet processing engine, the received data packet, the associated session, and/or the associated data flow based at least in part on the comparison; executing a program, by the packet processing engine, based at least in part on the comparison; and/or creating a new data packet, a new session, and/or a new data flow, by the packet processing engine, based at least in part on the comparison.
24. The method of claim 21, further comprising: receiving, by the processing analysis engine, a message from an agent node.
25. The method of claim 24, wherein the message describes information captured on a network connected device, a network associated with the network connected device, a file state associated with the network connected device, and/or user information associated with the network connected device.
26. The method of claim 24, further comprising: transmitting, by the processing analysis engine, a result of the analyzing and the message to a controller, wherein the controller is configured to (i) update the predetermined data packet of interest based on the result of the analyzing and the message, and (ii) transmit the attribute associated with the updated predetermined data packet of interest.
27. The method of claim 21, further comprising: storing the attribute associated with the predetermined data packet of interest in a data store, and updating the stored attribute associated with the predetermined data packet of interest based on the attribute associated with an updated predetermined data packet of interest.
28. A system comprising: a first packet processing engine and a first processing analysis engine, wherein the first packet processing engine is configured to: forward a received data packet to the first processing analysis engine, perform a comparison of an attribute of the received data packet to an attribute associated with a predetermined data packet of interest, and process the received data packet, a session associated with the received data packet, and/or a data flow associated with the received data packet based at least in part on the comparison, and wherein the first processing analysis engine is configured to: analyze the forwarded data packet, a session associated with the forwarded data packet, and/or a data flow associated with the forwarded data packet in parallel with the comparison performed by the first packet processing engine.
29. The system of claim 28, further comprising a second packet processing engine and a second processing analysis engine, wherein the first packet processing engine is further configured to forward the received data packet to the second processing analysis engine, and wherein the second processing analysis engine is configured to analyze the forwarded data packet, the associated session, and/or the associated data flow in parallel with the comparison performed by the first packet processing engine.
30. The system of claim 28, wherein the first packet processing engine is configured to: process the received data packet, the associated session, and/or the associated data flow by responding to, copying, dropping, routing, and/or modifying the received data packet, the associated session, and/or the associated data flow based at least in part on the comparison; process the received data packet, the associated session, and/or the associated data flow by executing a program based at least in part on the comparison; and/or process the received data packet, the associated session, and/or the associated data flow by creating a new data packet, a new session, and/or a new data flow based at least in part on the comparison.
31. The system of claim 28, further comprising: an agent node configured to transmit a message, wherein the message describes information captured on a network connected device, a network associated with the network connected device, a file state associated with the network connected device, and/or user information associated with the network connected device.
32. The system of claim 31, wherein the first processing analysis engine is configured to analyze the forwarded data packet at least based on the transmitted message regarding the network connected device in parallel with the comparison performed by the first packet processing engine.
33. The system of claim 31, wherein the first processing analysis engine is further configured to transmit a result of the analyzing and the message to a controller, and wherein the controller is configured to (i) update the predetermined data packet of interest based on the result of the analyzing and the message, and (ii) transmit the attribute associated with the updated predetermined data packet of interest.
34. The system of claim 28, further comprising: a data store configured to store the attribute associated with the predetermined data packet of interest, wherein the stored attribute associated with the predetermined data packet of interest is updated based on the attribute associated with an updated predetermined data packet of interest.
35. The system of claim 28, further comprising a controller.
36. A system comprising: an agent node configured to transmit messages regarding a network connected device to a first processing analysis engine of a first network node and/or a controller, wherein the network connected device is connected to the first network node; and the first network node comprises a first packet processing engine and a first processing analysis engine, wherein the first packet processing engine is configured to: forward a received data packet to the first processing analysis engine, perform a comparison of an attribute of the received data packet to an attribute associated with a predetermined data packet of interest, and process the received data packet, a session associated with the received data packet, and/or a data flow associated with the received data packet based at least in part on the comparison, and wherein the first processing analysis engine is configured to: analyze the forwarded data packet, a session associated with the forwarded data packet, and/or a data flow associated with the forwarded data packet at least based on the received message regarding the network connected device in parallel with the comparison performed by the first packet processing engine.
37. The system of claim 36, further comprising a second network node comprising a second packet processing engine and a second processing analysis engine, wherein the first packet processing engine is further configured to forward the received data packet to the second processing analysis engine, and wherein the second processing analysis engine is configured to analyze the forwarded data packet, the associated session, and/or the associated data flow in parallel with the comparison performed by the first packet processing engine.
38. The system of claim 36, wherein the first packet processing engine is configured to: process the received data packet, the associated session, and/or the associated data flow by responding to, copying, dropping, routing, and/or modifying the received data packet, the associated session, and/or the associated data flow based at least in part on the comparison; process the received data packet, the associated session, and/or the associated data flow by executing a program based at least in part on the comparison; and/or process the received data packet, the associated session, and/or the associated data flow by creating a new data packet, a new session, and/or a new data flow based at least in part on the comparison.
39. The system of claim 36, wherein the message describes information captured on the network connected device, a network associated with the network connected device, a file state associated with the network connected device, and/or user information associated with the network connected device.
40. The system of claim 36, further comprising: a data store configured to store the attribute associated with the predetermined data packet of interest, wherein the controller and/or the first network node are configured to update the stored attribute associated with the predetermined data packet of interest based on the attribute associated with an updated predetermined data packet of interest.